The Breakdown - Ripple's Fortress Acquisition Shows the Brittleness of Crypto Infrastructure
Episode Date: September 12, 2023On Friday Ripple announced that it was acquiring Fortress Trust. On Monday we learned that, counter to previous statements, a recent security incident at Fortress had caused the loss of customer funds.... NLW explores wtf is going on and what it says about the state of the crypto industry. Enjoying this content? SUBSCRIBE to the Podcast: https://pod.link/1438693620 Watch on YouTube: https://www.youtube.com/nathanielwhittemorecrypto Subscribe to the newsletter: https://breakdown.beehiiv.com/ Join the discussion: https://discord.gg/VrKRrfKCz8 Follow on Twitter: NLW: https://twitter.com/nlw Breakdown: https://twitter.com/BreakdownNLW
Transcript
Discussion (0)
Welcome back to The Breakdown with me, NLW.
It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world.
What's going on, guys? It is Tuesday, September 12th, and today we are talking about all of this dust-up with fortress and the ripple acquisition and what it means and who you should be mad at.
Before we get into that, however, if you are enjoying the breakdown, please go subscribe to it, give it a rating, give it a review, or if you want to dive deeper into the conversation, come join us on the break.
Discord. You can find a link in the show notes or go to bit.ly slash breakdown pod.
All right, friends, well, today we are talking about one of the biggest discussion points for the last
week or so on Twitter, which has been the issue surrounding Fortress Trust. Let's begin our
particular slice of the story on Friday when Ripple announced that they had acquired Fortress Trust.
Now, the deal was pitched as an expansion of Ripple's regulated crypto offering as they
built out a vertically integrated blockchain services product suite, and Monica Long, the president,
and of Ripple said in a statement, licenses are a powerful enabler to build and deliver best-in-class
customer experiences for enterprises using Ripple's crypto infrastructure across our payments and
liquidity solutions. What she was referring to is the fact that Fortress Trust holds a Nevada
State Trust license, which allows it to custody crypto and act as a financial intermediary with the
traditional financial system. This would add then to Ripple's existing strategy of accumulating
licenses. Between Ripple and its subsidiaries, the corporate group now holds 30 state money transmitter
licenses, a New York State Bit license, and a major payment institution license from the monetary
authority of Singapore. So commentary over the weekend on this fell into two camps. On the one hand,
this could have simply been Ripple buying a company to add a custody service to its one-stop shop
approach to crypto. On the other hand, many viewed this as a quiet bailout of Fortress.
And indeed, the Friday acquisition announcement was slightly strange in tone.
executives asserted that Fortress could add a key piece to Ripple's vertically integrated
crypto offering. However, the deal announcement was a little bit out of sync with previous
announcements from Ripple. Specifically, the acquisition valuation was not mentioned, which was out
of character for Ripple who had brashly announced a $250 million deal to acquire Crypto
Custodian Medico in May. And of course, we have to put it in the context into which it happened.
Fortress itself was already viewed with skepticism. The licensed crypto-custodian had been
founded by former Prime Trust CEO Scott Purcell in December of 2021. Purcell had left Prime Trust
in January of that year. That was around the same time that Prime Trust mishandled wallet storing
customer funds leading to an $83 million shortfall. Several key executives left Prime Trust to follow
Purcell into his new venture. The firm was also aggressive in hiring former banking regulators
to their team. The rift between companies was so acrimonious that there were even allegations
of IP theft and taking software systems built at Prime Trust across to Fortress.
June of this year, the shortfall in customer funds at Prime Trust came to light. Around this,
the company was first placed into receivership by the Nevada regulator and later declared bankruptcy.
Now, prior to Prime Trust acknowledging their insolvency, numerous high-profile customers
fled for other custodians. It was already widely suspected that Prime Trust was insolvent
at the time. The most impactful departure from Prime Trust was Swan Bitcoin. In June, Swan
announced that they would be transferring all customer funds held in custody to Fortress. The transfer
took over a week and involved a shutdown of automated transactions with Swan. To many, it felt like
an emergency operation more than a normal business decision, although throughout the process,
Swan executives assured customers that funds were safe. So this is where we were over the weekend.
Lots of speculation, lots of questions around Fortress, lots of questions around Ripple,
and on Monday, new information came to light around the circumstances surrounding the Fortress
acquisition. The day before the acquisition, my birthday, September 7th, Fortress had posted a
disclosure about a security incident which they tried to make seem relatively innocuous.
On that day, they tweeted,
Last week, four Fortress customers were impacted by a third-party vendor whose cloud tools were
compromised.
Thankfully, there is no breach within Fortress technology or systems.
Impacted accounts were fully restored.
And most importantly, of course, there is no loss of funds.
We immediately terminated the vendor integration, and out of an abundance of caution paused
all accounts to assess and ensure system-wide security.
We are taking all necessary measures to make sure the vendor is
held accountable. Although this has been resolved, transparency, and security are of the utmost
important to us and our customers. We also have some big company news we are excited to share
later this week. Now, Ryan Weeks, a reporter at the block, received a tip that the incident had
been far more impactful than it was made out to be. Indeed, he was told that 450 Bitcoin
worth around 11.3 million had been stolen from Fortress Trust, although that specific amount has
been unable to be verified. What has been verified is that the Ripple deal was much more of a
bailout of Fortress than it initially seemed. A Ripple spokesperson said, quote,
Conversations accelerated last week following the security incident via a third-party analytics vendor,
but this opportunity makes sense for Ripple in the long term. Luckily, Ripple was in a position
to act quickly to step in and make customers whole, and there have been no breaches to Fortress
technology or systems. Fortress notified customers immediately of the incident when it happened,
as they mentioned in their tweets. Now, for those of you eagle-eyed observers out there,
or I guess eagle-eared as the case may be, owl-eared, whatever, you'll notice. You'll notice
Notice that Fortress's Thursday statement said, quote, impacted accounts were fully restored,
and quote, there is no loss of funds. This is technically consistent with Ripple swooping in to
make customers whole, but also somewhat misleading if, in fact, Ripple had had to bail Fortress
out to make those customers whole, but also somewhat misleading if Ripple indeed had to come in
to make sure that those customers didn't actually lose their funds. Now, what was also made clear
on Monday is that the Ripple deal is still pending regulatory and due diligence approvals.
Given that we already saw the BitGo acquisition of Prime Trust fall apart during the due diligence
process earlier this year, there is certainly no guarantee that it actually goes through.
Now, of course, as you've already heard, there are numerous other companies tangled up in this mess.
Swan Bitcoin is, of course, one of Fortress's most well-known customers.
They have been in an absolute narrative battle, and have claimed throughout that they were
completely unaffected by the issue and that client funds remained safe.
The other companies impacted are the custodian services subcontracted by Fortress.
Their role in the industry is mainly as the holder of a relevant trust license rather than as a tech provider.
We know, for example, that hot wallet services are provided by fireblocks, while cold storage is provided by BitGo.
And indeed, with the behind-the-scenes detail now made public, BitGo CEO Mike Belchie wrote a Twitter thread
outlining his disappointment with how the entire debacle was handled.
On Monday, Mike wrote,
I can't express enough how upsetting this Fortress Trust episode is to me.
I really don't want to talk about it at all because it actually has nothing to do with Bitco.
But because Fortress was not forthcoming about what actually did happen, we are now indirectly
affected. Fortress's clients are wondering what happened if they are still at risk, and whether
Bickgo was somehow involved. Spoiler alert, we were not. When Fortress lost funds, they chose to
omit facts about what happened, downplay the event, and conclude, quote, most importantly,
no funds were lost. Obviously, we now know this was not true. I guess what they meant to say is,
we believe we fix the problem, and we have taken steps to make sure clients are made whole.
But those two statements are not even close to being the same.
Ripple has done the right thing and disclosed that a breach did occur.
But Fortress still has not made a real statement about what actually happened.
So, summarizing what is publicly known, along with what we know from BitGo.
One, Fortress suffered a breach through some third-party integration, not BitGo.
Two, via Fortress's platform and some third-party integration, the attacker was able to drain
funds from Fortress's hot wallet system.
Three, Fortress used fireblocks for its hot wallet system.
Four, Fortress noticed the failure and says they have fixed the problem with the third party.
Five, although Fortress did use BitGo to custody some of its Bitcoin and digital assets,
BitGo was not affected. None of the Fortress assets held at Bitcoin were at risk from this third-party
integration or taken. After the breach, Fortress reached out to Bitco. Bitgo strongly advised Fortress
to disclose what happened immediately. Fortress did not do that. Eventually, Fortress decided
to sell to Ripple. This is a great outcome because Ripple was able to make all clients whole
and will hopefully help Fortress with resources to correct the security weaknesses which led to this event.
Ripple is a good actor here and should be applauded.
The real victims here are Fortress's clients who deserve enough respect to get the whole truth.
They are not to be blamed.
The whole situation is exactly why we need decentralization.
We can't continue to be dependent on the honesty of custodians, bankers, or trusted third parties,
acting with integrity when bad things happen.
Bad things will happen and most humans don't have enough courage to be honest through it.
So there are a lot of things that people are upset about here.
One of the biggest strands of conversation has been around Swan.
On September 11th, the company tweeted,
Swan client coins are ininsured cold wallets at BitGo and did not move during the reported incident
at Fortress.
The coins are protected by video calls and physical access and are not subject to any incidents
at Fortress.
Swan set up disagreement with Fortress to use BitGo as a cold storage subcustodian
precisely to prevent such a scenario.
Swan has direct on-chain visibility to funds at BitGo.
When someone asked what kind of insurance Swan was referring to, Corey Clipson the CEO said
it's $250 million per wallet, with no wallet holding more than $250 million, provided by Lloyds of London.
It's the best setup we've seen. As always, take self-cesteady if you're willing and able.
Now, responding to the critique in general of Swan being associated with these companies,
which now have a less than stellar record handling customer assets and are now owned by a company
that is anathema to many bitcoiners, Corey wrote,
separation of brokerage and custody is the model for traditional assets for good reason,
And there's a good probability it becomes law for digital assets in the U.S.
I am not a fan of the Trust Me Bro model of brokerage in custody under the same roof like Mount
Gox at FTX.
The goal is to have no single company able to unilaterally move user funds.
We very intentionally set up Fortress and BitGo with that model.
Now, I understand the narrative frustration here, but at the end of the day, the reason
that Swan had to work with these companies is that there just wasn't anyone else.
This is why, as much as some Bitcoiners are worried about the entrance of traditional
financial actors into the space, many others view it as necessary to just have more market options
for crypto-native brokerage companies like Swan to actually work with. Anyways, the whole thing is a mess,
reflective of how bad the infrastructure is for crypto and Bitcoin right now in the U.S.,
and a reminder of just how challenging digital assets are, even for companies that have big history
in the space. Now, the one other big story from yesterday that I want to cover was the FTX creditor update.
The FTX bankruptcy team reports that they have marshaled around $7 billion in assets,
Using updated valuations from the end of August, the estate holds $3.4 billion in major crypto tokens.
This includes $560 million in Bitcoin, $192 million in ETH, and $1.1 billion in Solana.
Now, of that, it appears that only $137 million worth of Solana is listed as vesting,
meaning a much larger portion of the tokens may be eligible for sale than previously thought.
The non-crypto assets include 38 properties in the Bahamas worth around $200 million,
as well as $529 million worth of securities primarily made up of grayscale Bitcoin Trust share,
$2.6 billion in cash, and $4.5 billion in venture investments, although no current valuation of those
investments was provided. The firm's liabilities show $65 billion in non-customer claims. Now, that figure
is massively inflated by a $43.5 billion claim from the IRS, which is presumed to be subordinated
to customer claims. The IRS generally submits the largest possible tax claim during bankruptcy
proceedings, but often negotiates down significantly or defers entirely to a creditor distribution.
Of the remaining liabilities, a $9.2 billion claim from FTX digital markets is assumed to be
invalid or redundant, which leaves $4.1 billion claimed by Genesis and $2 billion claimed by Celsius
as the major non-customer claims to deal with. So far, a little over 36,000 customers have filed
claims totaling $16 billion. Of the claims that have been scheduled so far, around 10% of
customers have agreed to their scheduled claims, while 18% have disputed their claims and 72%
have yet to respond with either an agreement or a dispute. Now, easily the most discussed part of the
news, dealt with the firm's clawback strategy. Transactions done within a 90-day window of the
bankruptcy filing can be eligible for a clawback, but in practice, not all claims are pursued.
The estate has successfully pursued 58 million in claims so far, and they identify an additional
$16.6 billion in clawbacks that could be pursued. The state is currently considering how to deal
with customer clawbacks where users withdrew from the exchange close to the bankruptcy being filed.
Several options being looked at included the full 90-day window for clawbacks, as well as a shorter
15-day window, which captures the major public news surrounding the FTCS collapse.
Travis Kling tweeted about this saying,
Since the beginning of the FTCS bankruptcy, folks have assumed normal course of business defense
would protect customers.
Per this report, it looks like normal course will not be defensible in the 15-day period
before the petition date.
We see that FDX experienced 11.2 billion of withdrawals in the 15-day window.
If this ends up actually happening, the estate may be suing a thousand or more customers.
Per the slides, 2,451 accounts withdrew greater than $500,000.
in the 15-day window. This brings up a big question of executability. How feasible is it for the estate to go
sue people in every corner of Earth? This is a really surprising turn in this deal. Everyone was thinking
this outcome was quite unlikely the entire time. If the estate ends up doing what it looks like they want to,
it will change the nature of this bankruptcy process. We'll learn more at the 9-13 hearing.
Indeed, the estate is due in court tomorrow Wednesday for an omnibus hearing, which will cover numerous
aspects of the case, including the potential liquidation of crypto holdings as well. You might remember
that three weeks ago, FTX asked for permission to appoint Galaxy Digital as a selling agent.
Selling would initially have a limit of $100 million per week, which could increase to
$200 million if creditors agree. Now, the market has obviously begun to price in significant fear
of this FTX liquidation. Sunday, for example, saw liquidity breakdown in Salana as rumors of
imminent dumping spread. And yet many think that the market is overreacting. Jeff Dorman,
the CIO at ARCA, said, the way crypto market makers and traders are front-running the FTCS supply
shows a complete misunderstanding of how a syndicated sale process works.
This isn't an everyman for himself VC unlock.
This is a court-ordered process that Galaxy will sell very slowly and opportunistically.
Lastly, the potential reboot of the exchange remains a possibility.
According to the report, 75 bidders have been contacted.
The report stated that, quote,
proposals are being evaluated.
Transaction timing will depend on nature of transactions,
readiness of bidder, and other considerations.
So, friends, if there are currently two archetypes of breakdown episodes,
with one being legal battles that are increasingly poking towards a positive direction for this industry,
and the other being clean up from the excesses of years past, this unfortunately was one of the
latter. But as they say, the only way out is through. And so until next time, be safe and take care of
each other. Peace.